CMPUT 333, Assignment 2, Winter 2019

(non-sliding part - 70%)

University of Alberta / Department of Computing Science

Instructor: Ioanis Nikolaidis (nikolaidis@ualberta.ca)

(firewalls, network services)

Part 1 (10%)

Your first step to completing this assignment is to choose a non-trivial root password for your virtual Linux firewall host and non-trivial Administrator passwords for your virtual Windows host. Use your experience from the previous assignment and the readings of this course to choose strong passwords.

Create one regular user account for each (Linux, Windows) system and associate it with a correspondingly difficult-to-guess password.

Your chosen passwords and the reasons you chose them are to be included in the deliverables of this assignment.

Part 2 (15%)

In this task you will configure services from your own group's virtual network and make them available to outsiders (other groups and the TAs) in a manner that is controlled by your firewall host. In this assignment you may need to configure iptables on the Linux host. The process of taking measures to avoid accidentally locking yourselves "out" of your hosts will be presented in the labs -- but it is always a possibility, and for this reason you should take each step carefully.

First, you need to install and/or configure adequate software to provide http services and anonymous ftp services from both your virtual Linux host and from your virtual Windows host. In doing so, make sure you satisfy the following requirements:

Describe in your report how you performed the above steps. You can use screenshots when helpful. Describe the differences between Linux and Windows on how you achieved the ability to authenticate the user account to allow http content access.

Part 3 (45%)

Your task is to introduce iptables forwarding rules to enforce the following policies, assuming you are group X (where X=1,2,3,4,5,6,7,8,9,10,11,12):

Inbound restrictions:

Outbound restrictions:

Deliverables are the iptables rules you used for the implementation of the above policy. Provide comments that explain the rules you used and why you needed each rule.

Important: Your rules will be marked for their effectiveness, i.e., the least number of rules to achieve the exact desired effect. Rule correctness includes, for example, the ability to allow inbound traffic (as the reverse flow) for a connection that was allowed in the outbound direction, i.e., do not forget that TCP connections are bidirectional and also that some protocols, such as ftp, can operate in either so-called passive mode or active mode.

You are expected to provide in your submission all the relevant credentials (e.g., password to your hosts) to the TAs in order for them to accurately test your firewall rules.

Even though we do not talk about UDP services, they should be treated in a manner compatible with the spirit of the above rules. In presenting the rules you decided to use for UDP explain why you thought they are compatible with the provided policy.
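As an added illustration (not a solution to the assignment, and not the instructor's code), the following shell script shows how stateful iptables FORWARD rules handle the reverse-flow, ftp and UDP points above. The network addresses, interface names and the set of allowed services are constructed placeholders standing in for your group's actual policy; the script prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Stateful FORWARD chain for a two-interface Linux firewall host (added
# example). Addresses, interfaces and allowed services are placeholders.
INSIDE_NET="10.0.0.0/24"             # hypothetical group LAN behind the firewall
WEB_FTP_HOSTS="10.0.0.10 10.0.0.20"  # hypothetical Linux and Windows servers
OUTSIDE_IF="eth0"
INSIDE_IF="eth1"

# Wrapper: with DRY_RUN set, print each rule instead of applying it, so the
# rule set can be reviewed without touching the live firewall.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    # Default-deny first, then clear old rules: only explicitly allowed
    # flows cross the firewall in either direction.
    ipt -P FORWARD DROP
    ipt -F FORWARD

    # One rule covers every reverse flow: replies to any accepted TCP or UDP
    # connection, plus RELATED flows such as ICMP errors and ftp data channels.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound: outsiders may open http and ftp control connections to the
    # servers. The ftp data channel (active or passive) is classified RELATED
    # by the ftp helper, so no open port range is needed for it.
    for host in $WEB_FTP_HOSTS; do
        ipt -A FORWARD -i "$OUTSIDE_IF" -o "$INSIDE_IF" -d "$host" \
            -p tcp -m multiport --dports 80,21 -m conntrack --ctstate NEW -j ACCEPT
    done

    # Outbound: inside hosts may initiate http/https/ftp and DNS. UDP has no
    # handshake, but conntrack still pairs its replies with ESTABLISHED above.
    ipt -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -s "$INSIDE_NET" \
        -p tcp -m multiport --dports 80,443,21 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -s "$INSIDE_NET" \
        -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Kernels since 4.7 do not attach conntrack helpers automatically, so bind
    # the ftp helper to the control port explicitly in the raw table.
    ipt -t raw -F PREROUTING
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# Print the rules by default; APPLY=1 (as root) installs them for real.
if [ -z "$APPLY" ]; then DRY_RUN=1; fi
[ -n "$DRY_RUN" ] || modprobe nf_conntrack_ftp
apply_rules
```

Run it without APPLY to review the generated rules; the ESTABLISHED,RELATED rule sits first on purpose, since it matches most packets and makes separate reverse-direction rules unnecessary.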

It is allowed that you coordinate among groups to have other groups attempt connections (or for you to attempt connections to other groups) so you can check whether your rules are correct. However it is PROHIBITED to share rule files with other groups or to give your passwords to other groups for the sake of logging into your machines.

Part 4 (30%)

Sliding component (due with Assignment 3) will be posted separately.

Deliverables

Only one of the group members needs to submit on behalf of the entire group (in the event of more than one submission, the last one will be considered). Your report (in plaintext, markdown, or pdf format) should include answers to the questions posed in the specification. You should cite any resources that you used to produce your answers. Your report should be accompanied by all relevant files, e.g., a dump of your iptables rules. By default it is assumed that all group members contribute equally to the assignment. If you need to deviate from this model of cooperation, explain why and indicate who was responsible for what.

(The sliding part (and the sliding part only) will be submitted separately, by the deadline of the (non-sliding) part of Assignment 3. It is not due on the deadline of Assignment 2.)


Friday, February 22 2019